1 / 5

Security Development Lifecycle

Security Development Lifecycle. Principles. Goals. Protect customers with more secure software Reduce the number of vulnerabilities Reduce the severity of vulnerabilities Address compliance requirements Proactive, forward-thinking Eliminate redundancies, coordinate processes

triage
Télécharger la présentation

Security Development Lifecycle

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Development Lifecycle Principles Goals • Protect customers with more secure software • Reduce the number of vulnerabilities • Reduce the severity of vulnerabilities • Address compliance requirements • Proactive, forward-thinking • Eliminate redundancies, coordinate processes • Improve productivity • Reduce cost • NIST estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase • Additional costs may include a significant loss of user productivity and confidence. An ounce of prevention is worth a pound of cure • Secure by design • Secure architecture, design, and structure • Threat modeling and mitigation • Elimination of vulnerabilities • Improvements in security • Secure by default • Least privilege • Defense in depth • Conservative default settings • Avoidance of risky default changes • Less commonly used services off by default • Secure in deployment • Deployment guides • Analysis and management tools • Patch deployment tools

  2. Security Development Lifecycle Pre & Post-SDL • Security Training • Secure design • Threat modeling • Secure coding • Security testing • Privacy • Response • Execute response plan An ounce of prevention is worth a pound of cure

  3. Security Development Lifecycle Phases 1 & 2 • Requirements • Security requirements • Quality gates • Bug bars • Security and privacy risk assessment • Design • Design requirements • Attack surface reduction • Threat modeling An ounce of prevention is worth a pound of cure

  4. Security Development Lifecycle Phases 3, 4 & 5 • Implementation • Use approved tools • Deprecate unsafe functions • Static analysis • Verification • Dynamic program analysis • Fuzz testing • Threat modeling • Release • Incident response plan • Final security review An ounce of prevention is worth a pound of cure

  5. Security Development Lifecycle Phase 5 • Release (optional) • Manual code review • Penetration testing • Vulnerability analysis An ounce of prevention is worth a pound of cure

More Related